Description
In multiple functions, there is a possible way to access the contacts database due to a SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Multiple functions in the Android framework can be triggered to inject arbitrary SQL statements into the contacts database. The injection could allow an attacker to read or modify sensitive personal data and, because of the privilege model of the contacts provider, could promote a local application to a higher privilege context without requiring additional execution rights. Based on the description, this escalation could enable operations normally reserved for system level components.

Affected Systems

The vulnerability impacts devices running the Android operating system distributed by Google. No specific release or version number is indicated, suggesting that the flaw may exist across several Android builds until the related security update is applied.

Risk and Exploitability

Exploitability appears high, as the vulnerability requires only local code execution on the device and no user interaction. Based on the description, it is inferred that an attacker with local access to a device containing the vulnerable component can exploit the flaw. The EPSS score is unavailable and this vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 2, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Install the most recent Android security update released by Google that addresses the contacts provider SQL injection flaw.
  • Review installed applications and revoke or uninstall any that request sensitive contacts permissions unless they are essential, using Android's permission manager.
  • Configure device management policies to limit database access for non-system apps, such as applying SELinux policies or OS-level sandboxing, to reduce the attack surface.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 14:30:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 01:00:00 +0000

Type: Title
Values added: Android Contacts Database SQL Injection Enables Local Privileged Escalation

Type: Weaknesses
Values added: CWE-89; CWE-94

Tue, 02 Jun 2026 00:15:00 +0000

Type: First Time appeared
Values added: Google; Google android

Type: Vendors & Products
Values added: Google; Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type: Description
Values added: In multiple functions, there is a possible way to access the contacts database due to a SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T13:31:26.010Z

Reserved: 2025-10-15T15:41:00.964Z

Link: CVE-2026-0075

Vulnrichment

Updated: 2026-06-02T13:31:08.667Z

NVD

Status: Undergoing Analysis

Published: 2026-06-01T22:16:21.650

Modified: 2026-06-02T14:16:42.027

Link: CVE-2026-0075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T00:45:27Z

Weaknesses